= User Days Seahorse and GPG Session =

=== Encryption ===
 * Symmetric {{attachment:symmetric_lock.png}}
 * Public Key Cryptography {{attachment:pki_lock.png}}

=== Implementations ===
 I. SSH
 I. GnuPG
 I. SSL/TLS

=== Uses in Ubuntu ===
 I. Repositories
 I. PPAs
 I. Code of Conduct

=== Seahorse/Gnome Keyring ===
{{attachment:Seahorse.png}}
 I. Creating GPG keys {{attachment:Seahorse-New-PGP.png}} {{attachment:Seahorse-PersonalKeys-Fingerprint.png}}
 I. exporting to keyserver {{attachment:Keyserver-Lookup.png}}
 I. import from keyserver {{attachment:Seahorse-Found.png}}
 I. key signing {{attachment:Seahorse-PGP-Sign.png}}
 I. Creating SSH keys {{attachment:Seahorse-New-SSH.png}}
 I. Setup with remote server
 I. Password management {{attachment:Seahorse-New-Password.png}}
 I. login keyring

=== Uses by Users ===
 I. File encryption
 I. archives (tar.gz) {{attachment:Nautilus-Encrypt.png}}
 I. Email {{attachment:Evolution-Account-Security.png}}
 I. Encryption
 I. Signing {{attachment:Evolution-Email-Signature.png}}
 I. SSH

=== Session Logs ===
{{{#!IRC
=== cjohnston changed the topic of #ubuntu-classroom to: Ubuntu Classroom || Ubuntu User Days | Current Session: Seahorse and GnuPG ~~ Presented by mhall119 || Please ask questions in #ubuntu-classroom-chat || Ubuntu User Days Survey: http://www.surveymonkey.com/s/WQWHJQY
[18:00] Our next speaker is another member of the Ubuntu Florida LoCo team!
[18:00] Michael Hall has been working in software development for 10 years. He has been a Desktop Linux user for 6 years, the last 4 being on Ubuntu.
[18:00] He is the main developer of Qimo, an Ubuntu-derived Linux Distribution for kids. He currently spends his days doing Python development for the
[18:00] Moffitt Cancer Research Center in Tampa, FL.
[18:01] thanks cjohnston
[18:02] so I'm going to be talking about cryptography, what it is and how it's used by Ubuntu
[18:02] and also how it can be used by you
[18:03] if you go over to my notes for this session, there's some helpful images and screenshots https://wiki.ubuntu.com/UserDays/01232010/SeahorseGPG
[18:04] so there are two types of encryption in regular use
[18:04] in the past, the most often used form was symmetric cryptography
[18:04] what this means is that you have one key, and that key is used to both encrypt and decrypt the data
[18:05] much like a physical lock
[18:05] so, if you want to use that to securely send a box to someone, you need to send them the box, the lock, and a copy of the key
[18:06] now, the problem is that you have a much harder time keeping that key safe, because it's having to be passed around, or you have to give out multiple copies
[18:07] and if you send them all together, then it defeats the purpose of locking the box in the first place
[18:07] so some time ago some very smart people developed an alternative method called public key cryptography
[18:08] and what makes that different is that instead of one key, you have two
[18:08] and those two keys are different, but related
[18:09] specifically, they are used in a new kind of lock, and if you use one of the keys to lock it, then only the other key can unlock it
[18:10] now, the reason it's called "public key" cryptography is because you make one of these keys publicly available, to anyone that wants it
[18:10] and you keep the other one completely private, you never give it to anybody, you don't let anybody see it
[18:11] so now if you want to send a box to your friend, you get their public key (which they made available to everyone), and you use that to lock the box
[18:11] and because you used their public key to lock it, only their private key can be used to unlock it. Not even the key you used to lock it can unlock it
[18:12] so now you can send the locked box over an unsecured route like the post office, knowing that the only person in the world who has a key that can unlock it is your friend
[18:13] for added security, you can lock the box twice
[18:13] once as before, using your friend's public key
[18:13] and then again, using your private key
[18:13] and what that does is not only let you know that only your friend can open it
[18:14] but now your friend, using your public key to unlock it, knows that you are the only person in the world who could have sent it
[18:14] any questions so far?
[18:15] <oskude> as i haven't ever had something i would need to be a secret that only a key can open... where do you need this ?
[18:15] very shortly I'm going to show you how this is used in Ubuntu, and the benefits it gives you
[18:16] question - how strong should a key be? in your screenshots you use strength 768
[18:16] okay, so public key cryptography has several implementations
[18:16] the key strength is up to you, I used the default values in my screenshots
[18:17] the larger the key, the longer it would take some evil government to crack it
[18:17] but it also takes longer for it to encrypt and decrypt things
[18:17] so it's a judgement call, what level of security do you need?
[18:18] so, Ubuntu has a few implementations of this
[18:18] SSH, or the secure shell, which provides an encrypted connection between two boxes similar to telnet
[18:19] GnuPG, which is an open source implementation of PGP (Pretty Good Privacy), which is used to sign and encrypt files and email
[18:19] < Brot1> and which key length is recommended?
[18:19] and SSL, which you should all be familiar with, is the underlying technology behind HTTPS
[18:19] I personally use 4096 bit keys, which is probably overkill, but I'm not encrypting things where speed of encryption matters
[18:20] for something like SSL or SSH, it might slow you down slightly
[18:20] I'm sure there's plenty of references on the internet with people arguing for or against larger keys
[18:21] okay, moving on
[18:21] Ubuntu uses these technologies for some of its underlying systems
[18:21] the repositories that feed apt and synaptic are secured through GPG
[18:22] every package on them is signed by Canonical
[18:22] so that means that you can verify that every package you download hasn't been modified by someone else
[18:23] even if someone hacked into the repository server, and replaced packages with their own that contained a virus
[18:23] it wouldn't let you install it, because the signature wouldn't match
[18:23] the same goes for the PPA (personal package archives) available on Launchpad
[18:24] those packages aren't signed by Canonical, but rather the owner of the PPA
[18:24] so if you trust the owner of the PPA not to include a virus or trojan in their packages, you add their public key to your system, and that will be used to verify their packages
[18:25] finally, if you want to become a contributor to Ubuntu, you will need to sign the code of conduct
[18:26] and that requires that you use your private key to "sign" the actual CoC file
[18:27] signing doesn't encrypt the data, but rather it creates a short encrypted "signature" of the data, which when checked with the other key in the pair, will tell someone that the plain text message matches what the sender signed
[18:27] any questions before we move on?
[18:28] great
[18:28] now for the fun part
[18:28] Under Applications->Accessories you will find "Passwords and Encryption Keys"
[18:28] this is a graphical frontend to GnuPG called Seahorse
[18:29] and it will let you manage your PGP and SSH keys, and also will store passwords for you so that you don't have to remember them all
[18:30] so now we're going to walk through creating a private and public key of your very own
[18:30] Go to File->New
[18:30] and select PGP Key
[18:30] Put in your Name, email, and a comment
[18:31] you can see in my screenshot that I made one specifically for this session
[18:31] under the "Advanced" settings is where you can set the type and length of the key
[18:32] so fill that out and press the create button
[18:32] this will take a few minutes, depending on your CPU speed and key size
[18:32] so we'll stop for questions
[18:32] if there are any
[18:33] again, you can follow along with the screenshots here if you aren't actually making the keys: https://wiki.ubuntu.com/UserDays/01232010/SeahorseGPG
[18:34] <_marx_> QUESTION If I lose or forget the passphrase will i have to make a new key?
[18:34] yes
[18:34] you can change the passphrase if you want, but you will need to know the old one to do so
[18:34] do not forget your passphrase, and do not lose your private key, or you will need to make new ones
[18:35] and your old public key will no longer be usable
[18:35] <_marx_> question - what is the difference with DSA (elgamal) and DSA (only sign)
[18:35] I'm not really sure what DSA (elgamal) is
[18:36] < somnoliento> QUESTION What's the relationship between these PGP keys and the keyring (a common dialog in ubuntu sessions)
[18:36] you can ignore the (only sign), those are flags for users, you can still encrypt with those keys
[18:36] good question
[18:37] a keyring is a single place to store multiple keys
[18:37] your GnuPG keyring contains your private keys, your public keys, and the public keys of other people you know
[18:38] alright, we're gonna have to move on due to time
[18:38] if anyone is still generating keys, you can follow along with the screenshots
[18:38] once you have your key, you can view its properties
[18:39] you should note the Key ID and Fingerprint for your key, you will use them later
[18:39] now, it's time to make your public key public
[18:40] select your new key, and go to Remote->Sync and publish keys
[18:40] click on the Key Servers button to see the public keyservers available
[18:41] on the "Publish keys to: " drop down, select the ubuntu server
[18:41] you also have two more options here
[18:42] you can have your system automatically check these key servers for a person's public key when you receive something encrypted or signed by them
[18:42] you can also have it automatically sync the public keys in your keyring if you change them
[18:42] it's up to you if you want to enable those, I do for convenience
[18:43] okay, now close that dialog and click the Sync button
[18:43] this will upload your public key to the ubuntu keyserver
[18:43] and it will eventually be sent to the other public keyservers too, as they all share key data
[18:44] < oskude> QUESTION - i assume there is no confirmation screen after "sync" ?
[18:44] you can check that your key has been uploaded by going to the web interface: http://keyserver.ubuntu.com:11371/ and doing a search on your name
[18:44] no, I don't think there is a confirmation on sync
[18:44] it may take a few minutes to get published
[18:46] alright, now we need to get someone's public key from those keyservers
[18:46] back in Seahorse, go to Remote->Find Remote Keys
[18:47] and search for "Ubuntu User Day"
[18:47] you will see a few of them now, as it seems some of you used the same comment I did :)
[18:47] my key, as you saw in the screenshots, has id 08FBB574
[18:47] < Yos> Question is there a way to delete from these keyservers obsolete public keys
[18:48] right-click that and select Import
[18:48] cjohnston, I don't think so, when a key is obsolete, you generally add it to a published "revocation" list
[18:48] so that people know it was explicitly removed from use
[18:49] alright, now if you go to the "Other Keys" tab, you should see my User Day key there
[18:49] double-click that to view its properties
[18:50] now for some more magic
[18:50] <_marx_> 10 minutes
[18:50] if you go to the Trust tab you can sign my public key with your private key
[18:50] and what this does is let other people know that you believe that key belongs to me
[18:50] so even if someone else doesn't know that, if they trust you, then they can be assured
[18:50] wow, 10 minutes left, okay the next will have to go by fast
[18:51] I'm gonna skip the ssh and password parts, they're pretty straightforward, you can see the screenshots
[18:51] now, you can integrate your new PGP key into Evolution to sign and encrypt outgoing email
[18:52] and also to decrypt and verify incoming email
[18:52] in Evolution, go to Edit->Preferences and select your account
[18:52] on the Security tab, you can put the key id from your key, and evolution will use that
[18:53] when someone sends you an encrypted or signed email, Evolution will display an icon at the bottom telling you the state of it
[18:53] whether it was valid, and who it was from
[18:54] finally, if you install the package seahorse-plugins, you will have extra options in Nautilus and GEdit to sign or encrypt
[18:54] in nautilus, you can right-click any file (not folder) and encrypt it
[18:54] if you want more than one file, compress them into a .zip or .tar.gz and encrypt that
[18:55] <_marx_> 5 minutes
[18:55] and from Gedit, under the Edit menu will be options to sign/encrypt/decrypt and verify
[18:55] alright, any questions in the last 5 minutes?
[18:55] < oskude> QUESTION - Should i copy that "Key ID" (8 characters) row from Seahorse (Passwords and Encryption Keys) or right click and select copy (gets a longer string) ? (for the evolution settings)
[18:55] <_marx_> QUESTION - Should i copy that "Key ID" (8 characters) row from Seahorse (Passwords and Encryption Keys) or right click and select copy (gets a longer string) ? (for the evolution settings)
[18:55] just the key id
[18:56] anything else?
[18:56] you have my email address now (it's on my public key), so you can always email me for more questions
[18:56] or find me in #ubuntu-us-fl just about any time
[18:57] okay, well thank you all for coming, and enjoy your new cryptographic powers!
}}}